ect/passwd

20 Dec

Brought to you by —=> *KGB* —=>fh_foxhound@hotmail.com

Intro:    This file is ’bout the ect/passwd and everything that comes with it.

__disclaimer__

This file is for educational purpose only, blah blah, i am not responsable
for your actions and
stuff like that. My main purpose is to contribute my knowledge to you.

=======================
Let’s Start
=======================
*First of all it’s easy to get a passwd (password) file, but it is harder to
get a good one.
Good one? yes, a good one, there is only one Good one.
Okay only one good one, now tell me how 2 get the damn thing!

The oldest methode i know is the FTP://server.com.
Note: To do this ftp the server from your browser, not sum ftp progz or shit
like that.
Then you will ftp the server anonymously and you will see something like
this:

FTP Dir on server.com
———————
04/07/1999 12:00      Directory dev     <=— Devices
04/12/1999 12:00      Directory etc     <=— This one u want!
06/10/1998 12:00      Directory hidden  <=— Not important
03/22/2000 02:23      Directory pub     <=— Public stuff

As u can see this is a Unix system (duh windows doesnt have /ect/).
So we click on –=>ect

FTP Dir /ect on server.com
————————–
04/12/1999 12:00      601 group    <=— File with group/user names
04/12/1999 12:00      509 passwd   <=— Bingo!

So we click on the passwd file.
We see:

root:x:0:1:Super-User:/:/sbin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:

THIS IS USELESSSSSSS, why? see the X that means that the passwd is shadowed.
It’s a shadowed passwd file, very very hard to crack there is way 2 do it, a
program called
Deshadow would do the work they say, but deshadow is only to be run on your
own unix box.

root:x:0:1:Super-User:/:/sbin/bash
|   | | |       |    |     |
Login| | |       |    |     |
name | |group    |    |    shell (bash= bourne again shell)
| | id   fullname|
shadowed           |
passwd|             home
|              dir
userid

****
The “x” is called a token on some systems it is replaced by a “$” or “#” or
sometimes even the user name.
****

So now that the passwd file is useless, we are disapointed and just for the
fun of it all
we will take a look at the —=>group.
we see:

root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
nobody::60001:
noaccess::60002:
nogroup::65534:
sponsor::26:dlamb,marci,trs,wjtifft,sndesign,bswingle,sonny
star::22:nobody,trs,marci,dlamb,wjtifft,sndesign,bswingle,grossman
cron::30:root,rwisner,trs,grossman,bcauthor,starnews,kvoa,bswingle,uurtamo
nettools::29:root,rwisner,trs,grossman,bcauthor,bswingle,uurtamo
su::27:root,rwisner,trs,grossman,bcauthor,uurtamo,bswingle
ftp::60000:

What’s to say? a bunch a user names and group id’s (gid).

Sometimes you will find a file called pwd.db in the /ect dir. This is a
database file.
Unfortunatly this file is useless. Because in these file the passwords are
removed.
The spwd.db is the same kind of file but without the passwords removed.
Remember this about the files:

/etc/passwd     ASCII password file, with passwords removed
/etc/master.passwd  ASCII password file, with passwords intact
/etc/pwd.db     format password database, with passwords removed
/etc/spwd.db     format password database, with passwords intact

=======================
Let’s Move On
=======================
*Okay our attempt failed to retrieve a good passwd file, so now we are gonna
get a good one.
Note: On windows the passwd file is called .pwl

You can do the old FTP method on many servers, but lets talk about the Good
passwd file.
We use the same example as above:

root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash
daemon:Fs2e08p34Cxw1:1:1::/:
bin:Npge08pfz4wuk:2:2::/usr/bin:

What u see and what u should notice is the jibberish (Npge08pfz4wuk) it is a
encrypted passwd.
Actually it is not encrypted but encoded.

——->>PASSWD Encoded info<<———

Encoded? that’s right, when the passwd is to be encoded with randomly
generated value called Salt.
There are 4096 salt values. So if you want to do a Dictionary Attack u will
have 2 try all the values.
So the Npge08pfz4wuk, the Np are the salt and the ge08pfz4wuk is the encoded
passwd.
Sometimes there is nothing no encodec passwd, no shadowed passwd, just an
empty space. This means that
there is no passwd!! this is a major security risk.
—————————————

Right about now u would want 2 download Jack the Ripper “Its primary purpose
is to detect weak UNIX passwords”
And use the Ripper to crack the passwd file.
When it is cracked u will have access to the server. =)

=======================
Final Notes
=======================
*Now u know a little about this shit, don’t forget the hardest part is
getting the passwd file.
the rest is easy compared 2 that.
Ofcourse i only showed one method of getting a passwd file.
To get a passwd file the other way, you first need to find a hole in the
services running
at various ports of the host.

I hope u know enough now.

GrtZ,

—=>KGB (fh_foxhound@hotmail.com)

2 Responses to “ect/passwd”

  1. Omar June 17, 2007 at 4:19 am #

    Where can I download Jack the ripper?, I mean, I have look on web searchers and I didn’t find. Thx in advance

  2. hobart November 23, 2009 at 8:39 pm #

    The man of virtue makes the difficulty to be overcome his first business, and success only a subsequent consideration.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: